A common challenges for service accounts, after that 1st install, is these are "known" passwords to many team members or may become "stale" with regard to internal governance policies.

The deck (pdf) enclosed outlines the list of service accounts, the location of the password hash, the separation of duties (SOD) & functionality performed by each service account (this assume not one ID was used), and a primary method to update the password. If possible, a secondary method is also offered, if there are any issues with the primary method.

Also enclosed process, to force workstation/laptop to a particular ADS DC for testing the CA IM AD Reverse Password Sync Agent on selected DCs from one workstation; to allow full unit testing to each DCs.

Alan ... the document contains a number of steps which can be applied with careful review to a Virtual Appliance deployment. I will use the document as a guide in a couple of current projects using the vApp and provide feedback.